With a year to go until the General Data Protection Regulation comes into law, the British Chambers of Commerce (BCC) is urging businesses to start preparing to ensure that they are compliant with the legislation when it comes into force.

From 25 May 2018, all businesses that hold personal data will have to guarantee that their data procedures are fit for purpose and compliant with the new regulation.

While the GDPR is an EU-initiative, the UK government has already made it clear that the legislation will still take effect in the UK after Brexit. Businesses that are found to be non-compliant risk potential fines of up to €20 million or 4% of annual worldwide turnover.

Chambers of Commerce around the country are urging their members to start taking the necessary preparations to ensure they are ready for the regulation.

Steps for businesses to take include:

Document what personal data the company holds, where it came from and who it is shared with. Firms may want to consider organising an information audit or speaking to a data expert

Review current privacy notices and plan for any necessary changes needed before the implementation deadline

Check procedures to ensure that they cover all the rights individuals have under the new rules, including how to delete personal data or provide data electronically if needed

Review how the company seeks, obtains and records consent from individuals, and whether any changes are necessary

Ensure the right procedures are in place to detect, report and investigate a personal data breach

Determine whether a Data Protection Officer is required, and designate one if so, to take responsibility for data protection compliance and assess how the role will sit within the organisation.

For more steps on preparing for the General Data Protection Regulation, businesses should revert to the Information Commissioner’s Office checklist.

David Riches, Executive Director at the British Chambers of Commerce (BCC), said:

“Businesses need to be proactive about ensuring they are ready for the new data protection regulations when they come into force this time next year, and not leave preparations until the eleventh hour. Those firms that don’t fulfil the necessary responsibilities leave themselves vulnerable to tough penalties, not to mention public scrutiny.

“With twelve months to go, there are a number of procedures businesses should be reviewing to determine what changes may need to be introduced to be compliant. Businesses that are already vigilant about their data protection responsibilities won’t be unduly burdened by the new legislation.

“The General Data Protection Regulation is intended to reflect modern working practices in the digital age, and will strengthen consumer trust and confidence in businesses. It will establish a single set of rules across Europe, which will make it simpler and cheaper for UK companies to do business across the continent, even after we leave the EU.”